On the (In)Security of 4G - Part VI: 4G Security - A First Look

A First Look

Wow, if you simply Google “LTE Cybersecurity”, you get 3,930,000 results back (2020-07-06).
What about Google Scholar?
“LTE Cybersecurity” leads to 3,640 results (2020-07-06).
Alright, that is easier to digest. With our combined knowledge from part III, part IV and part V, e.g. about the most relevant 3GPP documents on Long Term Evolution (LTE) security (the 33-series: 33.401 - 3GPP System Architecture Evolution (SAE); Security architecture, and 33.402 - 3GPP System Architecture Evolution (SAE); Security aspects of non-3GPP accesses), we can simply begin by getting an overview of 4G security and the initial attach procedure.

LTE Security - Prerequisites

NIST published a paper called “Guide to LTE Security” [Source] and we will begin with that.

We begin with all entities in our LTE security model:

This example shows the simplified overview of communicating entities as listed in Source.
This is again a recap of our findings in part III, especially regarding the communicating entities, but this time we will regard them with their security purpose in mind.

LTE Security - The Mobile Device

The mobile device is composed of (1) “a general purpose mobile OS” (Android, iOS, …) and (2) a system for accessing the cellular network with its distinct baseband processor.

In the 33.401 standard, the mobile device is referenced as User Equipment (UE), which refers to four things: (1) the terminal with its mobile OS (Android, iOS, …), (2) the baseband processor, (3) the LTE radio and (4) a removable hardware token (the “Subscriber Identification Module (SIM) card”), i.e. the Universal Integrated Circuit Card (UICC). The UICC is a smartcard that runs a Java application called Universal Subscriber Identity Module (USIM). The USIM application, in turn, communicates with the cellular radio and thus with the mobile network. Alright, so far so good. But now comes the most important part:
“The UICC contains secret cryptographic keys that are shared with the [Mobile Network Operator (]MNO[)] before it is provisioned to a user.”
So we are dealing here with pre-shared keys, handed out by the MNO to the user via the “SIM card”, i.e. the UICC.
As a next step, the mobile network needs to know who it is that is trying to communicate with the network. There are two identifiers: (1) the International Mobile Subscriber Identity (IMSI) and (2) the International Mobile Equipment Identifier (IMEI). The IMSI is a long-term identity used to identify a subscriber to the carrier. The IMEI is a long-term identity used to identify the mobile device to the network. As each is stored either in the mobile device’s internal flash memory or on the UICC, each is either device-bound or UICC-bound.
The interesting part here is that the network identifies the user and the hardware via two distinct long-term identifiers, and that both of them are unique worldwide!
To sum it up:

  • UE is a cellular device (smartphone, tablet, …) with:
    • Mobile Equipment (ME): Mobile terminal without hardware token
    • UICC: Smart card, running the Java USIM application and storing personal information, cryptographic keys and enabling network access. The UICC is inserted into the ME, building the UE entity.
    • IMEI: Terminal identity to identify a specific mobile device to a cellular network.
    • IMSI: User identity to identify a subscriber to the cellular network.

As IMEI and IMSI are long-term identities, device- or UICC-bound and thus valuable for any attacker to intercept, there are also temporary identities. These are the Globally Unique Temporary Identity (GUTI), used to identify a UE to a network without revealing the IMSI, and the Temporary Mobile Subscriber Identity (TMSI). They will both play an important role later.
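To make the three identifiers above concrete, here is an added example (not code from the original post) that decodes an IMSI, validates and splits an IMEI, and unpacks the MME-assigned part of a GUTI. Field layouts follow 3GPP TS 23.003; the MNC length and all sample values are assumptions and constructed test data, not real subscribers or devices.

```python
# Added example (not from the original post): decoding the LTE identifiers
# discussed above. Field layouts follow 3GPP TS 23.003; all sample values are
# constructed test data, not real subscribers or devices.


def luhn_ok(digits: str) -> bool:
    """Luhn check over a full IMEI; the last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split an IMSI into the PLMN part (MCC, MNC) and the subscriber-specific MSIN.
    The MNC length (2 or 3) depends on the country and is an assumed input here."""
    if not (imsi.isdigit() and 6 < len(imsi) <= 15 and mnc_len in (2, 3)):
        raise ValueError("IMSI must be 7..15 digits with a 2- or 3-digit MNC")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC (device model), serial number and check digit."""
    if not (imei.isdigit() and len(imei) == 15 and luhn_ok(imei)):
        raise ValueError("IMEI must be 15 digits with a valid Luhn check digit")
    return {"tac": imei[:8], "snr": imei[8:14], "check": imei[14]}


def parse_guti(mcc: str, mnc: str, rest_hex: str) -> dict:
    """Decode the part of a GUTI after the PLMN-ID, given as 14 hex digits:
    MMEGI (16 bit) | MMEC (8 bit) | M-TMSI (32 bit). The M-TMSI is the only
    per-subscriber field and carries no IMSI information in itself."""
    if len(rest_hex) != 14:
        raise ValueError("expected MMEGI+MMEC+M-TMSI as 14 hex digits")
    value = int(rest_hex, 16)
    return {"mcc": mcc, "mnc": mnc, "mmegi": (value >> 40) & 0xFFFF,
            "mmec": (value >> 32) & 0xFF, "m_tmsi": value & 0xFFFFFFFF}


if __name__ == "__main__":
    print(parse_imsi("001010123456789"))             # constructed, test PLMN 001/01
    print(parse_imei("490154203237518"))             # constructed, passes Luhn
    print(parse_guti("001", "01", "800102C0FFEE42"))  # constructed GUTI remainder
```

Run on captured identifiers from a lab network, the output makes visible which fields are long-term (MSIN, TAC/SNR) and which are temporary (M-TMSI), which is exactly the distinction the paragraph above draws.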

LTE Security - E-UTRAN

The Evolved Universal Terrestrial Radio Access Network (E-UTRAN) is LTE’s Radio Access Network (RAN). Essentially, the E-UTRAN is a mesh network of base stations - evolved Node B (eNB). UEs connect to the E-UTRAN to pass and receive data to and from the Core Network (CN). eNBs modulate and demodulate radio signals to communicate data with the UE, allocate resources to the UEs, prioritize data, keep the network “alive”, are used for positioning UEs within a cell, provide mobility services and handovers for the UE and much, much more. eNBs communicate with each other via the X2 interface, allowing a user to pass from cell to cell without any noticeable interruption of service.
However, during a mobility transition from one cell to another, the complete UE context (UE and user ID, security parameters, mobility states) must be passed from one eNB to the other.
To sum it up:

  • E-UTRAN: Radio network providing mobility services to the user
    • eNB: A Base Station
    • Small Cell: Low powered base station (e.g. Home eNodeBs (HeNB), Donor eNodeBs (DeNB), and Relay Nodes (RN))

LTE Security - The Evolved Packet Core

The backend of LTE handles routing and computing to keep the (user) data flow alive. The most important entity here is the Mobility Management Entity (MME), as it is responsible for “managing and storing UE contexts, creating temporary identifiers, paging, controlling authentication functions, and selecting the Serving Gateway (S-GW) and Packet Data Network (PDN) Gateway (P-GW)” [Source]. It is solely used for control data. The S-GW is an anchor point for intra-eNB switches of the UE and routes information between P-GW and E-UTRAN. Finally, the P-GW is the default router for the UE, enabling transfers between 3GPP and non-3GPP services (e.g. IEEE 802.11 services aka “Wifi”), allocating Internet Protocol (IP) addresses to the UE and connecting UE and PDN so that user data can finally flow.

To sum it up [Source]:

  • EPC: Routing and computing for the LTE network
    • MME: Network signaling node. Wide range of services, e.g. managing/storing UE contexts, creating temporary IDs, sending pages, controlling authentication functions, and selecting the S-GW and P-GWs.
    • S-GW: Carries user data, anchors UEs for intra-eNodeB handoffs, and routes information between the P-GW and the E-UTRAN.
    • P-GW: Allocates IP addresses, routes packets, and interconnects with non-3GPP networks.
    • Home Subscriber Server (HSS): Master database with subscriber data and stores the secret key K.
    • Authentication Center (AuC): Resides within the HSS, maps long term identities to pre-shared cryptographic keys, performs cryptographic calculations during authentication.
    • Policy and Charging Rules Function (PCRF): Rules and policies related to quality of service (QoS), charging, and access to network resources are distributed to the P-GW and enforced by the PCRF.
    • IP Multimedia Subsystem (IMS): Gateways to the Public Switched Telephone Network (PSTN), multimedia services, and paging for multimedia services.
    • Backhaul: Connection between radio network and the core network. This connection can be any link (e.g., Fiber, Ethernet cable, …)
    • PDN: Any external IP network (e.g., Internet)
    • Access Point Name (APN): Serves as the identifier for a PDN, and is the gateway between the Evolved Packet Core (EPC) and PDN. The APN must be specified by the UE for each PDN it connects to.

LTE Security - Notes on LTE Network Topologies

It is important to note that E-UTRAN and EPC can be located in totally different geographic regions. There are two major operational network topologies: (1) fixed and (2) deployable.
A fixed LTE network covers a large region, where network coverage is provided by many cells created by eNBs that are all connected to EPCs. The components of the E-UTRAN are interconnected and communicate with the EPC via the S1 interface.
A deployable LTE network can be set up in areas where no LTE coverage exists or where services have been interrupted. This allows the creation of a self-contained network or the connection to other existing LTE or other networks.

LTE Security - Network Protocol Layers

In part IV we talked a lot about user and control plane protocol stacks. Here we will explain the security relations to each protocol layer. In general cellular protocols are divided into two strata: Non-Access Stratum (NAS) and Access Stratum (AS). “The AS is all communication between the UE and eNodeB occurring via the Radio Frequency (RF) channel. The NAS consists of all non-radio signaling traffic between UE and MME. All of a user’s Transmission Control Protocol (TCP)/IP and other application traffic are transmitted via the user plane. The control plane, which is required to setup, maintain, and terminate the air interface connection between the UE and the MME, hosts the Radio Resource Control (RRC) protocol.” [Source]

This example shows the simplified overview of the LTE protocol stack as depicted in Source.

Packet Data Convergence Protocol (PDCP), Radio Link Control (RLC), Medium Access Control (MAC) and PHY are the foundation of the air interface and host both user and control planes (described in depth in part IV). With the differentiation between AS and NAS, the parts each protocol layer plays become more apparent. Anything NAS related, such as “broadcasting system information, establishing a connection with the eNodeB, paging, performing authentication, bearer establishment”, is handled by the RRC. Anything AS related, such as “header compression, packet reordering, retransmission, and access stratum security”, is handled by the PDCP. The Security Architecture of the System Architecture Evolution (SAE) (TS 33.401) specifies that all cryptographic protection is handled within the PDCP.

LTE Security - LTE Bearers

In part IV, we already discussed bearers. Essentially, connections established between endpoints that enable user data traffic to flow are called bearers. Each bearer contains specific information about “traffic class, bit rate, delivery order, reliability, priority, and quality of service”. Furthermore, a bearer can span multiple interfaces (UE - eNB - X2 - eNB). There are signaling radio bearers, established on the control plane to allow signaling communication between UE–eNB and eNB–MME, and transport bearers allowing user plane data transmission.

Overall there are four must-be-established signaling radio bearers [Source - Chapter 4.2.2]:

  • Signaling Radio Bearer 0 (SRB0): SRB0 is for RRC messages using the CCCH logical channel;
  • Signaling Radio Bearer 1 (SRB1): SRB1 is for RRC messages (which may include a piggybacked NAS message) as well as for NAS messages prior to the establishment of SRB2, all using DCCH logical channel; It is also responsible for the exchange of security information, measurement reports, fallback parameters, and handover information.
  • Signaling Radio Bearer 2 (SRB2): SRB2 is for RRC messages which include logged measurement information as well as for NAS messages, all using DCCH logical channel. SRB2 has a lower priority than SRB1 and is always configured by E-UTRAN after security activation.
  • Signaling Radio Bearer 4 (SRB4): SRB4 is for RRC messages which include application layer measurement reporting information, all using DCCH logical channel. SRB4 can only be configured by E-UTRAN after security activation.

Once all SRBs are set up and active, the UE is connected to the CN via an eNB and ready to transmit and receive user data. As there are multiple connection points (UE–eNB, eNB–S-GW, …) for user traffic to pass, multiple bearers must be established. For full UE network connectivity, the following bearers must be set up [TS 36.414]:

  • Data Radio Bearer (DRB): UE <– Uu air interface –> eNB; Enables data communications between UE and eNB.
  • S1 Bearer: eNB <– S1-U –> S-GW
  • E-UTRAN Radio Access Bearer (E-RAB): UE <– DRB + S1 bearer –> S-GW
  • S5/S8 Bearer: S-GW <– user data plane –> P-GW
  • EPS Bearer: UE <– E-RAB + S5/S8 (user data plane) –> P-GW
  • External Bearer: P-GW <– user data plane –> External Resource (outside EPC)
  • End-to-End Service: UE <– EPS + External Bearer –> External Resource; Finally enables full access from UE to resource outside the EPC
Here we see the different transport bearers between or via the different entities and interfaces within the LTE architecture [Source].

All bearers, signaling and transport, are established on an as-needed basis.

Summary

In this part about LTE security, we covered LTE entities and their security relations to each other. We also revisited the protocol stack and detailed the security functions each layer has. One extension to part IV was a more detailed description of LTE bearers. Bearers essentially enable the end-to-end services between your phone and the Internet, as they close the gap between LTE network entities, building up multiple bearers between the different network layers until a full connection between UE and Internet is made.

Here you can read Part V and Part VII.

See you soon. :)

Abbreviations

  • Access Point Name (APN)
  • Access Stratum (AS)
  • Authentication Center (AuC)
  • Core Network (CN)
  • Data Radio Bearer (DRB)
  • Donor eNodeBs (DeNB)
  • E-UTRAN Radio Access Bearer (E-RAB)
  • Evolved Packet Core (EPC)
  • Evolved Universal Terrestrial Radio Access Network (E-UTRAN)
  • Globally Unique Temporary Identity (GUTI)
  • Home Subscriber Server (HSS)
  • Home eNodeBs (HeNB)
  • IP Multimedia Subsystem (IMS)
  • International Mobile Equipment Identifier (IMEI)
  • International Mobile Subscriber Identity (IMSI)
  • Internet Protocol (IP)
  • Long Term Evolution (LTE)
  • Medium Access Control (MAC)
  • Mobile Equipment (ME)
  • Mobility Management Entity (MME)
  • Non-Access Stratum (NAS)
  • Quality of Service (QoS)
  • Packet Data Network (PDN)
  • Policy and Charging Rules Function (PCRF)
  • Public Switched Telephone Network (PSTN)
  • Radio Access Network (RAN)
  • Radio Frequency (RF)
  • Radio Link Control (RLC)
  • Radio Resource Control (RRC)
  • Relay Nodes (RN)
  • Serving Gateway (S-GW)
  • Signaling Radio Bearer 0 (SRB0)
  • Signaling Radio Bearer 1 (SRB1)
  • Signaling Radio Bearer 2 (SRB2)
  • Signaling Radio Bearer 4 (SRB4)
  • Subscriber Identification Module (SIM)
  • System Architecture Evolution (SAE)
  • Temporary Mobile Subscriber Identity (TMSI)
  • Transmission Control Protocol (TCP)
  • Universal Integrated Circuit Card (UICC)
  • Universal Subscriber Identity Module (USIM)
  • User Equipment (UE)
Nils Mäurer
Group Head - Cybersecurity Architectures

My research interests include security of wireless communications systems, digital aeronautical communications systems, digital avionics and cybersecurity.